Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1994970
  • 博文数量: 346
  • 博客积分: 10221
  • 博客等级: 上将
  • 技术积分: 4079
  • 用 户 组: 普通用户
  • 注册时间: 2009-06-01 19:43
文章分类

全部博文(346)

文章存档

2012年(1)

2011年(102)

2010年(116)

2009年(127)

我的朋友

分类: WINDOWS

2011-02-21 13:24:58

运行PowerShellPlus,出现
 
 
如果输错序列号会显示error messagebox
  

加断点 bp MessageBoxW
输入序列号,OK 断点起作用,

执行kb, 看到堆栈中显示
0012e458 7b7bf97b 00000000 00000000 00000000 System_Windows_Forms_ni+0x7efcf8
说明这是一个.NET程序.尝试用.NET Relector打开.看到错误
Invalid number of data directories in NT header.

执行 !dumpdomain,显示已加载的.NET dll, 从结果中知道,PowerShellPlus调用了
Microsoft.PowerShell.Commands.Management.dll|
Microsoft.PowerShell.Security.dll
Microsoft.PowerShell.Commands.Utility.dll
Microsoft.PowerShell.ConsoleHost.dll
有关License的Assembly为 C:\Program Files\Idera\PowerShellPlus\License4Net.dll

执行 !clrstack,显示

0:000> !clrstack
OS Thread Id: 0x280c (0)
ESP EIP
0012e368 7e466534 [NDirectMethodFrameStandalone: 0012e368] System.Windows.Forms.SafeNativeMethods.MessageBox(System.Runtime.InteropServices.HandleRef, System.String, System.String, Int32)
0012e384 7b7bfcf8 System.Windows.Forms.MessageBox.ShowCore(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon, System.Windows.Forms.MessageBoxDefaultButton, System.Windows.Forms.MessageBoxOptions, Boolean)
0012e388 7b7bf97b [InlinedCallFrame: 0012e388] 
0012e460 7b194190 System.Windows.Forms.Control.OnClick(System.EventArgs)

0012e944 7b7227c3 System.Windows.Forms.Form.ShowDialog()
0012e948 048e7c61Idera.Tools.Core.Form_Welcome.linkNewLicenseKey_LinkClicked(System.Object, System.Windows.Forms.LinkLabelLinkClickedEventArgs)
0012e95c 7b87a5b1 System.Windows.Forms.LinkLabel.OnLinkClicked(System.Windows.Forms.LinkLabelLinkClickedEventArgs)

0012ee34 7b7227c3 System.Windows.Forms.Form.ShowDialog()
0012ee38 018cd49e Idera.Tools.Core.LicenseUI.StartupLicenseCheck()
0012ee58 018cd1fe PSP.PSPlusApp.eCWYV2J36e(Boolean)
0012ee88 018ccb1f PSP.PSPlusApp..ctor()

Idera.Tools.Core.Form_Welcome.linkNewLicenseKey_LinkClicked对应了Welcome form中的链接”Register New License Key” 
执行!ip2md 048e7c61,显示linkNewLicenseKey_LinkClicked的Method Desc

0:000> !ip2md 048e7c61
MethodDesc: 01d10514
Method Name: Idera.Tools.Core.Form_Welcome.linkNewLicenseKey_LinkClicked(System.Object, System.Windows.Forms.LinkLabelLinkClickedEventArgs)
Class: 01c06ff0
MethodTable: 01d10568
mdToken: 0600001b
Module: 0193c78c
IsJitted: yes
CodeAddr: 048e7c40

执行!u 01d10514,反汇编linkNewLicenseKey_LinkClicked

0:000> !u 01d10514
Normal JIT generated code
Idera.Tools.Core.Form_Welcome.linkNewLicenseKey_LinkClicked(System.Object, System.Windows.Forms.LinkLabelLinkClickedEventArgs)
Begin 048e7c40, size 4a
048e7c40 55 push ebp
048e7c41 8bec mov ebp,esp
048e7c43 57 push edi
048e7c44 56 push esi
048e7c45 8bf9 mov edi,ecx
048e7c47 b924028d04 mov ecx,offset +0x48d0223 (048d0224) (MT: Idera.Tools.Core.Form_AddLicense)
048e7c4c e866095a75 call mscorwks!JIT_NewCrossContext (79e885b7)
048e7c51 8bf0 mov esi,eax
048e7c53 8bce mov ecx,esi
048e7c55 e82eccfbff call +0x48a4887 (048a4888) (Idera.Tools.Core.Form_AddLicense..ctor(), mdToken: 06000007)
048e7c5a 8bce mov ecx,esi
048e7c5c e807008776 call System_Windows_Forms_ni+0x187c68 (7b157c68) (System.Windows.Forms.Form.ShowDialog(), mdToken: 

输入序列号的对话框为Idera.Tools.Core.Form_AddLicense
执行!dumpheap -type Idera.Tools.Core.Form_AddLicense, 得到其Address

0:000> !dumpheap -type Idera.Tools.Core.Form_AddLicense
Address    MT           Size
01f181c8 048d0224 344
total 1 objects
Statistics:
MT Count TotalSize Class Name
048d0224 1 344 Idera.Tools.Core.Form_AddLicense
Total 1 objects

执行!do 01f181c8,得到Idera.Tools.Core.Form_AddLicense的字段值

0:000> !do 01f181c8
Name: Idera.Tools.Core.Form_AddLicense
MethodTable: 048d0224
EEClass: 0489bc9c
Size: 344(0×158) bytes
(ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
Fields:
MT Field Offset Type VT Attr Value Nam

79330a00 4000003 13c System.String            0 instance 01e61198 licenseKey
7b21e9d0 4000006 148 …ows.Forms.TextBox 0 instance 01f18874textBox_NewKey

先看看licenseKey的值. 执行!do 01e61198

0:000> !do 01e61198 
Name: System.String
MethodTable: 79330a00
EEClass: 790ed64c
Size: 18(0×12) bytes
(C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: 
Fields:
MT Field Offset Type VT Attr Value Name
79332c4c 4000096 4 System.Int32 1 instance 1 m_arrayLength
79332c4c 4000097 8 System.Int32 1 instance 0 m_stringLength
793316e0 4000098 c System.Char 1 instance 0 m_firstChar
79330a00 4000099 10 System.String 0 shared static Empty
>> Domain:Value 0014c300:01e61198 <<
79331630 400009a 14 System.Char[] 0 shared static WhitespaceChars
>> Domain:Value 0014c300:01e61740 <<

其值为空,不知这个licenseKey的用意何在.

再看textBox_NewKey中的值是不是qqq. 执行!do 01f18874,显示

0:000> !do 01f18874
Name: System.Windows.Forms.TextBox
MethodTable: 7b21e9d0
EEClass: 7afdccc0
Size: 168(0xa8) bytes (C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll)
Fields:
MT Field Offset Type VT Attr Value Name

79330a00 4001130 20 System.String 0 instance 00000000 text

其Text值到底放在哪?

查看Idera.Tools.Core.Form_AddLicense上定义的方法
执行!dumpmt -md 048d0224 ,显示

:000> !dumpmt -md 048d0224 
EEClass: 0489bc9c
Module: 0193c78c
Name: Idera.Tools.Core.Form_AddLicense
mdToken: 02000003  (ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
BaseSize: 0×158
ComponentSize: 0×0
Number of IFaces in IFaceMap: 15
Slots in VTable: 378
————————————–
MethodDesc Table
   Entry      MethodDesc   JIT Name
048a48b8   048d01b0      JIT Idera.Tools.Core.Form_AddLicense.button_OK_Click(System.Object, System.EventArgs)

执行 !u 048d01b0 , 反汇编 Idera.Tools.Core.Form_AddLicense.button_OK_Click     

0:000> !u 048d01b0 
Normal JIT generated code
Idera.Tools.Core.Form_AddLicense.button_OK_Click(System.Object, System.EventArgs)
Begin 04948100, size f5
04948100 55              push    ebp
04948101 8bec            mov     ebp,esp
04948103 57              push    edi
04948104 56              push    esi
04948105 53              push    ebx
04948106 8bf9            mov     edi,ecx
04948108 8bb748010000    mov     esi,dword ptr +0×147 (00000148)[edi]
0494810e 8b8f48010000    mov     ecx,dword ptr +0×147 (00000148)[edi]
04948114 8b01            mov     eax,dword ptr [ecx]
04948116 ff9064010000    call    dword ptr +0×163 (00000164)[eax]
0494811c 3900            cmp     dword ptr [eax],eax
0494811e 6a02            push    2
04948120 8b153010e802    mov     edx,dword ptr [+0x2e8102f (02e81030)] (Object: System.Char[])
04948126 8bc8            mov     ecx,eax
04948128 e813ad9974      call    mscorlib_ni+0x222e40 (792e2e40) (System.String.TrimHelper(Char[], Int32), mdToken: 060001b7)
0494812d 8bd0            mov     edx,eax
0494812f 8bce            mov     ecx,esi
04948131 8b01            mov     eax,dword ptr [ecx]
04948133 ff9068010000    call    dword ptr +0×167 (00000168)[eax]
04948139 e8f2f69374      call    mscorlib_ni+0x1c7830 (79287830) (System.Reflection.Assembly.GetExecutingAssembly(), mdToken: 06001c31)
0494813e 8bc8            mov     ecx,eax
04948140 8b01            mov     eax,dword ptr [ecx]
04948142 ff504c          call    dword ptr [eax+4Ch]
04948145 8bd8            mov     ebx,eax
04948147 b9e803df01      mov     ecx,offset +0x1df03e7 (01df03e8) (MT: Idera.Tools.Core.BBSProductLicense)
0494814c e8cb9ebefc      call    +0x153201b (0153201c) (JitHelp: CORINFO_HELP_NEWSFAST)
04948151 8bf0            mov     esi,eax
04948153 8b5b18          mov     ebx,dword ptr [ebx+18h]
04948156 8b8f48010000    mov     ecx,dword ptr +0×147 (00000148)[edi]
0494815c 8b01            mov     eax,dword ptr [ecx]
0494815e ff9064010000    call    dword ptr +0×163 (00000164)[eax]
04948164 50              push    eax
04948165 8bd3            mov     edx,ebx
04948167 8bce            mov     ecx,esi
>>> 04948169 e8d257fdfc      call    +0x191d93f (0191d940) (Idera.Tools.Core.BBSProductLicense..ctor(System.Version, System.String), mdToken: 0600003b)
0494816e 8d460c          lea     eax,[esi+0Ch]
04948171 83781400      cmp     dword ptr [eax+14h],0
04948175 751e            jne     +0×4948194 (04948195)           //–关键!跳入失败分支 04948195    
04948177 8d460c          lea     eax,[esi+0Ch]
0494817a 80781c00        cmp     byte ptr [eax+1Ch],0
0494817e 7449            je      +0x49481c8 (049481c9)          //–跳入成功分支 049481c9
04948180 8d460c          lea     eax,[esi+0Ch]
04948183 8b480c          mov     ecx,dword ptr [eax+0Ch]
04948186 8b154421e802    mov     edx,dword ptr [+0x2e82143 (02e82144)] ("None")
0494818c e8df999974      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
04948191 85c0            test    eax,eax
04948193 7434            je      +0x49481c8 (049481c9)          //–跳入成功分支 049481c9
04948195
 8d460c          lea     eax,[esi+0Ch]
04948198 8b5814          mov     ebx,dword ptr [eax+14h]
0494819b 8b8f48010000    mov     ecx,dword ptr +0×147 (00000148)[edi]
049481a1 8b01            mov     eax,dword ptr [ecx]
049481a3 ff9064010000    call    dword ptr +0×163 (00000164)[eax]
049481a9 50              push    eax
049481aa 8bd3            mov     edx,ebx
049481ac 8bce            mov     ecx,esi
049481ae ff150801df01    call    dword ptr [+0x1df0107 (01df0108)] (Idera.Tools.Core.BBSProductLicense.GetErrorMessage(LicenseState, System.String), mdToken: 0600003d)
049481b4 ff35f821e802    push    dword ptr [+0x2e821f7 (02e821f8)] ("Invalid License Key")
049481ba 6a00            push    0
049481bc 6a10            push    10h
049481be 8bd0            mov     edx,eax
049481c0 8bcf            mov     ecx,edi
049481c2 e89d77e776      call    System_Windows_Forms_ni+0x7ef964 (7b7bf964) (System.Windows.Forms.MessageBox.Show(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon), mdToken: 060048b4)
049481c7 eb25            jmp     +0x49481ed (049481ee)          //–退出函数
049481c9 8b8f48010000    mov     ecx,dword ptr +0×147 (00000148)[edi]          //– 成功的分支
049481cf 8b01            mov     eax,dword ptr [ecx]
049481d1 ff9064010000    call    dword ptr +0×163 (00000164)[eax]
049481d7 8d973c010000    lea     edx,+0x13b (0000013c)[edi]
049481dd e8deab5275      call    mscorwks!JIT_WriteBarrierEAX (79e72dc0)
049481e2 8bcf            mov     ecx,edi
049481e4 ba01000000      mov     edx,offset (00000001)
049481e9 e8ba1b8076      call    System_Windows_Forms_ni+0x179da8 (7b149da8) (System.Windows.Forms.Form.set_DialogResult(System.Windows.Forms.DialogResult), mdToken: 06003cf9)
049481ee 5b              pop     ebx
049481ef 5e              pop     esi
049481f0 5f              pop     edi
049481f1 5d              pop     ebp
049481f2 c20400          ret     4

以上代码首先构造 一个Idera.Tools.Core.BBSProductLicense对象. 其构造器形如
BBSProductLicense(System.Version, “qqq”),根据传入的值设置BBSProductLicense对象的属性
此时esi 是指向BBSProductLicense对象, 
0:000> r
eax=01f5a7f0 ebx=01f5a7cc ecx=01f5aae0 edx=00000001 esi=01f5a7e4 edi=01ece89c
eip=04948171 esp=0012e434 ebp=0012e440 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000293
0:000> !do 01f5a7e4 
Name: Idera.Tools.Core.BBSProductLicense
MethodTable: 01df03e8
EEClass: 01b86990
Size: 48(0×30) bytes
(ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
Fields:
      MT    Field            Offset                 Type     VT     Attr    Value Name
01df0394  4000055        c …cense+LicenseData  1 instance 01f5a7f0 licenseData
79330a00  4000056        4        System.String    0 instance 01f5aac0 m_scopeString
793325a8  4000057        8       System.Version   0 instance 01f5a7cc m_productVersion

esi+0Ch 指向BBSProductLicense对象的属性licenseData,这是一个Vaule Type,
0:000> !dumpvc 01df0394 01f5a7f0 
Name: Idera.Tools.Core.BBSProductLicense+LicenseData
MethodTable 01df0394
EEClass: 01b869f4
Size: 40(0×28) bytes
(ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
Fields:
      MT    Field            Offset               Type VT     Attr    Value Name
01df0244  4000058       14         System.Int32  1 instance        1 licState
79330a00  4000059        0        System.String  0 instance 01f5a85c key
793044cc  400005a       1c       System.Boolean  1 instance        0 isTrial
79330a00  400005b        4        System.String  0 instance 01eb6f80 typeStr
79330a00  400005c        8        System.String  0 instance 01eb6fc4 forStr
79330a00  400005d       c        System.String  0 instance 01f5ab0c expirationDateStr
79330a00  400005e       10        System.String  0 instance 01f5ab94 daysToExpireStr
79332c4c  400005f       18         System.Int32  1 instance        0 daysToExpire
793044cc  4000060       1d       System.Boolean  1 instance        1 isAboutToExpire

esi+0Ch+14h 是licState的属性,如果不为0,显示错误提示
接着,检查isTrial属性
04948177 8d460c          lea     eax,[esi+0Ch]
0494817a 80781c00      cmp     byte ptr [eax+1Ch],0
0494817e 7449             je      +0x49481c8 (049481c9)   
如果为0,就退出,否则进一步检查 expirationDateStr
04948180 8d460c          lea     eax,[esi+0Ch]
04948183 8b480c          mov     ecx,dword ptr [eax+0Ch]  
04948186 8b154421e802    mov     edx,dword ptr [+0x2e82143 (02e82144)] ("None")
0494818c e8df999974      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken:

给BBSProductLicense的构造器打断点
!bpmd ToolsCore Idera.Tools.Core.BBSProductLicense..ctor
反汇编
0:000> !u 0191d940 
Normal JIT generated code
Idera.Tools.Core.BBSProductLicense..ctor(System.Version, System.String)
Begin 0191d940, size 70
>>> 0191d940 55              push    ebp

0191d9a4 ff15a401df01    call    dword ptr [+0x1df01a3 (01df01a4)] (Idera.Tools.Core.BBSProductLicense.FillLicenseData(System.String), mdToken: 0600004a)
0191d9aa 5e              pop     esi
0191d9ab 5f              pop     edi
0191d9ac 5d              pop     ebp
0191d9ad c20400          ret     4

接着反汇编 Idera.Tools.Core.BBSProductLicense.FillLicenseData
0:000> !u 04946578 
Normal JIT generated code
Idera.Tools.Core.BBSProductLicense.FillLicenseData(System.String)
Begin 04946578, size 13f
>>> 04946578 55              push    ebp
04946579 8bec            mov     ebp,esp
0494657b 57              push    edi

049465bd ff15d401df01    call    dword ptr [+0x1df01d3 (01df01d4)] (Idera.Tools.Core.BBSProductLicense.LoadAndValidateLicense(System.String,BBS.License.BBSLic ByRef), mdToken: 0600004e)

最终找到真正负责License的组件BBS.License.BBSLic 
0:000> !dumpmt 01dffebc        
EEClass: 048facd4
Module: 01df0f50
Name: BBS.License.BBSLic
mdToken: 02000003  (C:\Program Files\Idera\PowerShellPlus\License4Net.dll)
BaseSize: 0xc
ComponentSize: 0×0
Number of IFaces in IFaceMap: 1
Slots in VTable: 45
最核心的函数为
public unsafe LicErr LoadKeyString(string Key)
{
  LicErr oK = LicErr.OK;
  sbyte modopt(IsSignUnspecifiedByte)* numPtr = (sbyte modopt(IsSignUnspecifiedByte)*) Marshal.StringToHGlobalAnsi(Key).ToPointer();
  switch (CLicense.LoadKeyString(this.pLic, numPtr))
  {
      case 1:
          oK = LicErr.NotBase64;
          break;

      case 2:
          oK = LicErr.UnsupportedKeyVersion;
          break;

      case 3:
          oK = LicErr.InvalidLength;
          break;

      case 4:
          oK = LicErr.ChecksumError;
          break;

      case 6:
          oK = LicErr.FutureKey;
          break;
  }
  Marshal.FreeHGlobal((IntPtr) numPtr);
  return oK;

CLicense的代码被加密,里面到处是jump,此路不通.

This entry was posted in Debug. Bookmark the permalink.
阅读(4326) | 评论(1) | 转发(0) |
给主人留下些什么吧!~~

chinaunix网友2011-03-05 13:36:25

很好的, 收藏了 推荐一个博客,提供很多免费软件编程电子书下载: http://free-ebooks.appspot.com